Maand: december 2018

In this hacking tutorial we are going to upgrade a Netcat shell to a Meterpreter shell in 3 simple steps. First we will use the multi handler module in Metasploit to intercept the reverse shell using a Linux x86 payload. Then we will issue the reverse shell on a Linux host with a Bash reverse shell. Finally we will use the post exploitation Metasploit module shell_to_meterpreter targeting the session with the reverse Bash shell.

Step 1: Setting up a Metasploit Multi Handler

Let’s fire up Metasploit and setup the multi handler to intercept a reverse Bash shell on port 443 with the following command:

Now that we have got a listener running on port 443 we can issue the bash command on the target host to setup a reverse shell and connect back to the attack box. Please note that we are executing this command on the target host from the command line. In real life penetration testing scenario’s this command is often executed through remote code execution (RCE) exploits using various attack vectors.

On some occasions you might receive a permissions related error when running this exploit. In this tutorial we have a root shell with write access on the path the regular Bash reverse shell is pointing to. In order to successfully run this exploit the target sessions needs write access to its current location. Switching the directory to /tmp will often do the trick, otherwise you have to find another location to write the payload to.

At this point we have an active Meterpreter session with the target host. We are now able to use this session for port forwarding with portfwd, dump system hashes and run post exploitation Metasploit modules on either of the sessions. Many of local Metasploit modules take a session id instead of a rhost parameter, this is where you supply the session id from the Meterpreter shell.

Lessons learned

In this tutorial we have followed 3 steps to upgrade a regular Netcat or Bash reverse shell to a Meterpreter shell:

Today we are going to solve another CTF challenge “Holiday” which is available online for those who want to increase their skill in penetration testing and black box testing. Holiday is retired vulnerable lab presented by Hack the Box for making online penetration practices according to your experience level; they have the collection of vulnerable labs as challenges from beginners to Expert level.

Level: Expert

Task: find user.txt and root.txt file on victim’s machine.

Since these labs are online available therefore they have static IP and IP of sense is 10.10.10.25 so let’s begin with nmap port enumeration.

As the notes are being read by administrator xss can be used to get the admin cookie. To run xss and run our payload we need to bypass the filter using java script function String.fromCharCode to run our payload. I created this scrip below to convert string to ascii code.

We capture the webpage’s request using burpsuite. We change our cookie with that of administrator and forward it.

As soon as we forward the request, we are able to successfully hijack the administrator session.

We now go to /admin directory and find a page where there are options to export bookings and notes.

We capture the request using burpsuite, and check if it is vulnerable to any king of injection. After enumerating we find that this page is vulnerable to command injection.

We are unable to get a shell using web_delivery module of metaploit due to there being filters. Now we create a payload using msfvenom to upload into the target machine using command injection and get reverse shell.

We run the shell using command injection vulnerability on the target machine.

GET /admin/export?table=notes%26/tmp/mpshell53 HTTP/1.1

As soon as we run the shell we get a reverse shell.

We spawn a tty shell and take a look at the sudoers list and find that we can run /usr/bin/npm I * as root with no password.

python-c"import pty; pty.spawn('/bin/bash')"sudo-l

Before trying to get root shell we first enumerate rest of the directories and find a file called “user.txt” in /home/algernon directory. We take a look at the content of the files and find the first flag.

Now we try to take root.txt we go to /app directory. We rename package.json to pack, and symlink /root/root.txt package.json

Today we are going to solve another CTF challenge “Sneaky” which is available online for those who want to increase their skill in penetration testing and black box testing. Sneaky is retired vulnerable lab presented by Hack the Box for making online penetration practices according to your experience level; they have the collection of vulnerable labs as challenges from beginners to Expert level.

Today we are going to solve another CTF challenge “Waldo”. Waldo is a retired vulnerable lab presented by Hack the Box for helping pentester’s to perform online penetration testing according to your experience level; they have a collection of vulnerable labs as challenges, from beginners to Expert level.

Level: Mediun

Task: To find user.txt and root.txt file

Let’s start off with nmap command to find out the open ports and services.

When I add a list, it is added in numerical order, and always named list[x], where x is an increasing int.

Under the Hood

If I watch what’s happening as I create and delete lists and items in a proxy (like burp, or firefox dev tools), there’s a series of POST requests to 4 php scripts:

dirRead.php

fileRead.php

fileWrite.php

fileDelete.php

Here’s an example selection of requests from burp generated by interacting with the site:

dirRead.php

If I pull up one of the POSTs to dirRead.php, I’ll see a request which includes a path:

Site Source

I can pipe the curl output into jq with the -r flag to print the string as raw, and select the fileobject (if you don’t know jq, you should check it out – it comes in handy in so many situations with json data.

Fortunately for me, that style filter can be bypassed by including a string that, after the str_replace, will result in what I want. str_replace is not recursive. It only makes one pass over the string. So, str_replace( array("../", "..\""), "", "....//") == "../".

Privesc / Pivot: nobody -> monitor

Discovery

The next step involves noticing a bunch of things that are acting weird and some experimentation (or, if you’re on free, noticing in the process list that someone else has already sshed into localhost as monitor).

The private key I found was named .monitor. I used it with nobody, but it didn’t have that name in it.

monitor isn’t a user on this host.

ssh on this box is configured to listen on 8888. When I tried to talk to 8888 from the attacker box, it hangs (remember the filtered return from the original nmap). But here’s the interesting parts from the ssh config:

For each editor, they link back to the normal versions. Sometimes there’s an r in front of the name (to imply restricted). Neither nano nor most have any ability to run shell commands.

red is the name for the restricted version of ed, that doesn’t allow you to call system commands from inside it, for example. But this red just links back to unrestricted ed, not to an instance of red.

To escape rbash via ed, I’ll take advantage of ed’s ability to run shell commands. From the edman page:

!command

Executes command via sh(1). If the first character of command is ‘!’, then it is replaced by text of the previous ‘!command’. ed does not process command for backslash () escapes. However, an unescaped ’%’ is replaced by the default filename. When the shell returns from execution, a ‘!’ is printed to the standard output. The current line is unchanged.

Unintended Route: ssh -t

The PATH is missing several entries and it is not possible to specify absolute paths. As the gnu.org article below on “The Restricted Shell” states, it is not possible to set the PATH variable in rbash.
https://www.gnu.org/software/bash/manual/html_node/The-Restricted-Shell.html
Fortunately, the SSH “-t” switch allows a tty to be forced for the login, which will bypass rbash.
After exiting the current restricted shell, the command below is executed.

On the free servers, which had a lot of users going at once, this way was often given away because it shows up in the process list of the container, so once someone figured it out, it was obviously there for others to grab and use.

Privesc: Full Disk Read as root

Enumeration of the home directory reveals various binaries and “logMonitor-0.1” seems interesting as it might have been conferred privileges in order to read log files. However, the SETUID bit has not been set.
A less well-known technique of allowing binaries to run with elevated privileges are Linux Capabilities. The Post “Linux Capabilities – A friend and foe” by m0noc provides a good overview of this subject.
https://blog.m0noc.com/2016/05/linux-capabilities-friend-and-foe.html
A check for assigned capabilities can be performed with the getcap utility

Capabilities

Linux has a concept of capabilities, which allow you to assign a program rights to do certain things typically reserved for root. So, for example, the CAP_NET_BIND_SERVICE capability allows a program not running as root to bind to a port under 1024.

If I look at this program, using getcap, I’ll see it has a capability assigned:

Today we are going to solve another CTF challenge “Dropzone”. Dropzone is a retired vulnerable lab presented by Hack the Box for helping pentester’s to perform online penetration testing according to your experience level; they have a collection of vulnerable labs as challenges, from beginners to Expert level.

Level: Medium

Task: To find user.txt and root.txt file

Let’s start off with nmap command to find out the open ports and services.

Nmap – udp

PORT STATE SERVICE VERSION
69/udp open tftp SolarWinds Free tftpd

Initial Access

Managed Object Format

There weren’t a whole lot of options for a way forward on this box. We were limited to a single UDP port with the ability to read from / write to the filesystem. The key was to leverage that limited capability into RCE. Enter Managed Object Format (MOF) files.

There is an excellent write-up on MOF files and how they were used by Stuxnet here. If the topic is new to you, please take a look there. Any explanation of mine will pale in comparison. When reading through that write-up, you’ll notice that Windows XP exhibits some interesting behavior regarding MOF files and Windows Management Instrumentation (WMI).

MOF files loaded into C:\windows\system32\wbem\mof are auto compiled and registered into the WMI repository

Registered MOF consumers run with SYSTEM privileges

These two things together are a good indicator of the way forward, given our current situation. However, it would be good if we could confirm that we’re actually dealing with a Windows XP machine before proceeding.

EULA.txt

Because we can only read from the filesystem via tftp, we can check the Windows version and service pack by grabbing the End-User License Agreement. There are two places to check for this (that vary based on version).

On Windows XP it’s found at C:\windows\system32\eula.txt.

Windows 7 stores the EULA at C:\Windows\System32\license.rtf.

We can use our current access to grab the EULA and verify that we’re dealing with Windows XP.

Now we know that we’re dealing with Windows XP SP 3 and can move forward with our malicious MOF plan.

Creating a MOF File

To generate a malicious MOF file, I pored over blog posts. I read through Microsoft developer docs. I altered, tweaked, uploaded, and failed. Many times. Though, while researching, I found an interesting file in the metasploit framework, wbemexec.rb. This file was the golden ticket for me.

I tell you about my failures, because in the end, I cheesed it. The file linked above contains a function called generate_mof. I took the template MOF it kept for use inside MSF and replaced code in the same places that metasploit would in order to generate a final payload.

The code below is my final puckie.mof. I really only had to change the name of the class and the executeable to run as shown in the highlighted code below.

With all the necessary pieces in place, we can upload our MOF file to the box. Recall the path to the folder where MOF files are automatically compiled is C:\windows\system32\wbem\mof. We’ll reuse our tftp connection to drop our MOF file there in the hopes that we receive a callback.

root.txt

It seems that the creators felt that dropping onto a box as SYSTEM was a little too easy because where we would normally see root.txt, we are instead greeted with this message.

C:\docume~1\administrator\desktop\root.txt
════════════════════════════
It's easy, but not THAT easy...

2 for the price of 1!.txt

Also on the desktop, there is a folder named flags. Inside there is a file named 2 for the price of 1!.txt. Here are the contents.

C:\docume~1\administrator\desktop\flags\2 for the price of 1!.txt
════════════════════════════
For limited time only!
Keep an eye on our ADS for new offers & discounts!

Alternate Data Streams

The ADS in the file above is a pretty strong hint pointing us toward alternate data streams. Luckily for us, there is a great sysinternals tool streams.exe that is made specifically for examining alternate data streams. Let’s get it on target and see what there is to see.

Today we are going to solve another CTF challenge “Active”. Active is a retired vulnerable lab presented by Hack the Box for helping pentester’s to perform online penetration testing according to your experience level; they have a collection of vulnerable labs as challenges, from beginners to Expert level.

Level: Easy

Task: To find user.txt and root.txt file

Let’s start off with nmap command to find out the open ports and services.

As you can observe from Nmap scanning result, there are so many open ports along with their running services, the OS is Microsoft Windows server 2008:r2:sp1 and you can also read the domain name “active.htb”.

So here I found cpassword attribute value embedded in the Groups.xml for user SVC_TGS. Therefore I download a python script “Gpprefdecrypt” from GitHub to decrypt the password of local users added via Windows 2008 Group Policy Preferences (GPP)

Access Victim’s Shell via SMB connect and Privilege Escalation

In nmap scanning result we saw port 88 was open for Kerberos, hence their much be some Service Principal Names (SPN) that are associated with normal user account. Therefore we downloaded and install impacket from Github for using its python class GetUserSPN.py

Kerberoasting
Kerberos is a protocol for authentication used in Windows Active Directory environments (though it can be used for auth to Linux hosts as well). In 2014, Tim Medin presented an attack on Kerberos he called Kerberoasting. https://files.sans.org/summit/hackfest2014/PDFs/Kicking%20the%20Guard%20Dog%20of%20Hades%20-%20Attacking%20Microsoft%20Kerberos%20%20-%20Tim%20Medin(1).pdf It’s worth reading through the presentation, as Tim uses good graphics to illustrate the process, but I’ll try to give a simple overview.
When you want to authenticate to some service using Kerberos, you contact the DC and tell it to which system service you want to authenticate. It encrypts a response to you with the service user’s password hash. You send that response to the service, which can decrypt it with it’s password, check who you are, and decide it if wants to let you in.
In a Kerberoasting attack, rather than sending the encrypted ticket from the DC to the service, you will use off-line brute force to crack the password associated with the service

Here we see that before requesting the TGS for a particular SPN, Impacket makes an (AS_REQ) Authentication Server Request and that the server responds with the TGT for this SVC_TGS service account. Note that the krbtgt doesn’t use the same encryption that the following TGS.

Then Impacket makes a TGS request that includes TGT information. Finally, the server responds with a TGS and Impacket format it in krb5tgs which is recognized by JTR and HC.

Today we are going to solve another CTF challenge “Nineveh”. Nineveh is a retired vulnerable lab presented by Hack the Box for helping pentester’s to perform online penetration testing according to your experience level; they have a collection of vulnerable labs as challenges, from beginners to Expert level.

Level: Medium

Task: To find user.txt and root.txt

Let’s start off with our basic nmap command to find out the open ports and running services.

We see the directory /department/, containing a directory itself of /files/. Seems interesting, so lets take a look into this:

Cool, we have a login over web. Trying typical logins, we notice the site warns when we have a bad username. Enter username ‘admin’ and it tells us bad password. Now that we have the username enumerated, lets use hydra and rockyou.txt to brute force login:

Notice in the above image, the URL specifies a file to read from. This may come in handy later on, but for now lets just keep it in mind. Since there is not much left to look at, lets run a dirb on port 443:

Cool, now we have a login for phpliteadmin too! Logging in we see the typical phpMyAdmin page, where we can create new databases and tables. Lets create a new database called ninevehNotes.php, since back over on the port 80 side, it reads ninevehNotes.txt in the notes page. We can create the page, make one table in the database, and give it a simple php reverse shell

Having a netcat listener running on my local host allows me to catch the /bin/bash that I piped to my IP:

Taking a look around, first thing I do is check out the root directory. The first thing noticed is a directory called /report. Inside this directory is a few text files containing the output from a known rootkit checker called chkrootkit. The files are dated by minute, and you can view from which cronjob it is with cronmonit.sh from ippsec

Using searchsploit, we learn chkrootkit is vulnerable to executing a certain file as root when ran:

Cool, next thing we need to do is make a file called /tmp/update which will shot back a reverse shell, which will be run as root. Again dipping into the reverse shell cheat sheet, we can use a bash backdoor:

Today we are going to solve another CTF challenge “Brainfuck” which is retired vulnerable lab presented by Hack the Box for making online penetration testing practices according to your experience level. Although in this challenge you can test your expertise by WordPress penetration testing and how much knowledge you have in cryptography by decrypting any encryption that you will get in this lab.

Level: Hard

Task: find user.txt and root.txt file in victim’s machine.

Since these labs are online available therefore they have static IP and IP of sense is 10.10.10.17 so let’s begin with nmap port enumeration.

From given above image, you can observe we found so many ports are open such as 22,25 and so on in victim’s network and moreover I got three domain names as highlighted

Now the next option was to add target IP inside /etc/host file since port 443 was open containing three domain names obtained from scanning result thus I edit sup3rs3cr3t.brainfuck.htb www.brainfuck.htb brainfuck.htb as host name.

Then I explored all three domain names one by one in web browser but when I explored https://brainfuck.htb found following webpage page which was indicating that it is a wordpress site and pointing toward SMTP mail Id orestis@brainfuck.htb as highlighted in below image.

Now we decided to use wpscan on the target URL, that we have entered in the browser. To check if there are any kind of vulnerable themes, plugins, username and etc.

Then explore wp.html file in localhost server as shown below and click on login tab.

By doing so You can login as anyone without knowing password because of incorrect usage of wp_set_auth_cookie().Then you can go to admin panel by visiting https://brainfuck.htb once again.

Inside admin dashboard I looked at plugin for further step where I found SMTP plug-in.

It was terrific moment when I saw user authentication login are filled in text field. So I read username “orestis” but password was in bold character, which I need to convert in plain text using inspect element.

Through telnet command: telnet 10.10.10.17 110 we established connection with SMTP server and login into orestis account, now for reading orestis inbox messages I ran retr 1 command but didn’t get any useful message and move to another message by running retr 2.

Here I found something very crucial that there is username and password for any “Secret” forum for login and after deep-thinking I realized this credential could be connected to sup3rs3cr3t.brainfuck.htb which I had explored in web browser.

Again I explore https:\\sup3rs3cr3t.brainfuck.htb then submit above found credential and got successful login.

Inside “Key” I notice chatting between admin and orestis which was going beyond my sense. Might be orestis and admin are sharing some confidential information in this secret chat but in last reply of admin it looked like he is secretly sharing any encrypted URL.

Then I open “ssh access” Ahhhh!!! It was an English conversation where admin is giving suggestion to use Key for login instead of simple password. And by reading all conversation I concluded that orestis has lost SSH login key and asking admin to send the key in an encrypted chat that we saw above “Key” (secret discussion).

Time to decrypt their conversation for getting ssh login key but don’t know from where to start. After spending so much time and efforts at last I successfully decrypted and found ssh login key.

Now you’re Question: How it become possible?

And my answer is: observe the given below step carefully:

From both chat “Key” and “ssh access” I copied following text into a text file respectively and removed the space provided between the word as shown in below.

With help of online decipher I had pasted above cipher text inside encipher textbox and decryption key inside decipher textbox and received decipher message“BrainfuCkmybrainfuckmybrainfu”

If you remember we had obtained encrypted URL from inside “Key” discussion, go for its decryption using above decipher message “fuckmybrain” as decrypting key. It took much time to identify proper encryption algorithm used for encrypting URL and we have successfully decrypt it with the help Vigerner cipher. It gave a plaintext URL for downloading id_rsa for ssh login as orestis.

From given below image you can observe that I have added encrypted URL in encrypted text field and used “fuckmybrain” as decrypting key and obtain Plain text URL.

And without wasting time I executed following command for login into SSH using 3poulakia! as password.

root@kali:~/htb/brainfuck# ssh-iid_rsa orestis@10.10.10.17

Great!! I logged in successfully, now let’s finish the task by grabbing user.txt and root.txt file. First I checked for available files in current directory which are inside it.

Apart from user.txt I found three more files in this directory and when I open these file I got hint for Root Flag! Now follow below steps if you are also looking for root flag.

When I read content of encrypt.sage, it was pointing towards encrypted password within debug.txt and output.txt

When I open debug.txt and output.txt, here I saw encrypted information then again I chased towards Google for any help in such type of encryption and luckily found a decrypting script from this link: http://dann.com.br/alexctf2k17-crypto150-what_is_this_encryption/ and after that copied entire script into text file for decryption.

As describe in crypto150 algorithm I placed 1st, 2nd & 3rd line of debug.txt equal to p, q, e respectively. Ct is equal to content of output.txt as shown below and saved it as decrypt.py

Today we are going to solve another CTF challenge “Inception”. Inception is a retired vulnerable lab presented by Hack the Box for helping pentester’s to perform online penetration testing according to your experience level; they have a collection of vulnerable labs as challenges, from beginners to Expert level.

Level: Hard

Task: To find user.txt and root.txt

Let’s start off with our basic nmap command to find out the open ports and running services.

I’ve truncated a lot of the noise that we get from the pdf and put the base64 into a file, then decoded. This process is very cumbersome to do over and over. So to speed up enumeration I used a python script to do it all easily.

Much easier. Also note here that cobb could be a possible user for us to target later.

After a lot of config enumeration we find this in the apache default virtual host config file:

root@kali:~/htb/inception# ./lfi.py /etc/apache2/sites-enabled/000-default.conf<VirtualHost *:80>
# The ServerName directive sets the request scheme, hostname and port that# the server uses to identify itself. This is used when creating# redirection URLs. In the context of virtual hosts, the ServerName# specifies what hostname must appear in the request's Host: header to# match this virtual host. For the default virtual host (this file) this# value is not decisive as it is used as a last resort host regardless.# However, you must set it for any further virtual host explicitly.#ServerName www.example.comServerAdmin webmaster@localhost
DocumentRoot /var/www/html
# Available loglevels: trace8, ..., trace1, debug, info, notice, warn,# error, crit, alert, emerg.# It is also possible to configure the loglevel for particular# modules, e.g.#LogLevel info ssl:warnErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
# For most configuration files from conf-available/, which are# enabled or disabled at a global level, it is possible to# include a line for only one particular virtual host. For example the# following line enables the CGI configuration for this host only# after it has been globally disabled with "a2disconf".#Include conf-available/serve-cgi-bin.confAlias /webdav_test_inception /var/www/html/webdav_test_inception
<Location /webdav_test_inception>
OptionsFollowSymLinksDAV On
AuthTypeBasicAuthName "webdav test credential"
AuthUserFile /var/www/html/webdav_test_inception/webdav.passwd
Requirevalid-user</Location>
</VirtualHost>
# vim: syntax=apache ts=4 sw=4 sts=4 sr noet

And now we can browse to our file and test command execution.After looking around in /var/www/html we find an old wordpress folder that no longer seems active. Inside we can see the wp-config.php that contains database credentials.

So now we have a password but SSH isn’t open on the box. We’ll need to do some more enumeration. We already know the squid proxy allows us to pass traffic through it, so we can try to enumerate the box through the proxy and see if SSH is open that way. To do this we use proxychains

Privilege Escalation

We quickly see that cobb has full sudo permissions and we can escalate to root instantly. However we are only left with a clue inside of root.txt.

cobb@Inception:~$ sudo -l
[sudo] password for cobb:
Matching Defaults entries for cobb on Inception:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User cobb may run the following commands on Inception:
(ALL : ALL) ALL
cobb@Inception:~$ sudo bash
root@Inception:~#
root@Inception:/root# cat root.txt
You're waiting for a train. A train that will take you far away. Wake up to find root.txt.

Again, we’ll need to do more enumeration to see where we need to go from here. If we check netstat we see something interesting.

So we can see that every 5 minutes apt-update is running. custom.log doesn’t have anything useful in it besides telling us when it’s running. What is useful is that we are able to run commands everytime apt-updateruns by placing a file inside /etc/apt/apt.conf.d.

Our format for the file content is: APT::Update::Pre-Invoke {"command"} and we will need to name our file with numbers prefixed. So we’ll use 00command as our file name.

Today we are going to solve another CTF challenge “Kotarak”. Kotarak is a retired vulnerable lab presented by Hack the Box for helping pentester’s to perform online penetration testing according to your experience level; they have a collection of vulnerable labs as challenges, from beginners to Expert level.

Level: Hard

Task: To find user.txt and root.txt

Let’s start off with our basic nmap command to find out the open ports and running services.

Tomcat 8.5.5 is running
To access it we need a valid password, let’s find it.

Port:- 60000
On this port a private web service is running which access the file from internal system, let’s enumerate it further
There is no output, and the server is running a url.php and we also need to specify a path which Maybe running in some internal port,So we need to find the correct internal port first.for i in $(seq 1 1000); do echo $i; curl -X GET http://10.10.10.55:60000/url.php?path=http://localhost:$i/ 2> /dev/null | tr -d “\n”; done
this will ping all the internal port 1 by 1 and if it get’s any response it will show it to us in the output.

<?xml version="1.0" encoding="UTF-8"?><!--
Licensed to the Apache Software Foundation (ASF) under one or more
contributor license agreements. See the NOTICE file distributed with
this work for additional information regarding copyright ownership.
The ASF licenses this file to You under the Apache License, Version 2.0
(the "License"); you may not use this file except in compliance with
the License. You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
--><tomcat-usersxmlns="http://tomcat.apache.org/xml"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://tomcat.apache.org/xml tomcat-users.xsd"
version="1.0"><!--
NOTE: By default, no user is included in the "manager-gui" role required to operate the "/manager/html" web application. If you wish to use this app, you must define such a user - the username and password are arbitrary. It is strongly recommended that you do NOT use one of the users in the commented out section below since they are intended for use with the examples web application.
--><!--
NOTE: The sample user and role entries below are intended for use with the examples web application. They are wrapped in a comment and thus are ignored when reading this file. If you wish to configure these users for use with the examples web application, do not forget to remove the <!.. ..> that surrounds them. You will also need to set the passwords to something appropriate.
--><!--
<role rolename="tomcat"/>
<role rolename="role1"/>
<user username="tomcat" password="<must-be-changed>" roles="tomcat"/>
<user username="both" password="<must-be-changed>" roles="tomcat,role1"/>
<user username="role1" password="<must-be-changed>" roles="role1"/>
--> <userusername="admin" password="3@g01PdhB!" roles="manager,manager-gui,admin-gui,manager-script"/>
</tomcat-users>

The machine is connected to a LXC container, So Every 2 minutes a LXC container requests a file on port 80 of kotarak. He (the container) have vulnerable wget, and the root.txt is there. So we will leak this file using the GNU Wgetexploit, But before that we need to download our pyftpdlib server and run it.

Make sure our FTP server is up and running,Now download the wget python exploit to the target server and for executing the exploit we are using authbind for a possible to host something on port 80 , without authbind that wouldn’t be possible only root have perm for ports lower than 1024, after executing the exploit, wait for 2 min and as soon the cronjob will run, you will get the root flag.